Habituation as cybersecurity nightmare and panacea

A number of studies have confirmed that people often tend to find ways to
work around organisational cybersecurity policies. This is usually not
something they do on purpose; it is driven by their habits. In other words,
this behaviour is an effect of bad habituation.

Achieving individual objectives and finding the path of least resistance is
the key driver for many employees when approaching their working
responsibilities. For example, cybersecurity warnings are used to inform
users of the risks of allowing potentially harmful applications to run on a
particular computer. In practice, however, most users tend to ignore those
warnings once they appear over and over again. This behaviour eventually
leads to bad habituation.

Among other things, bad habituation is exploited by hackers sending out
about 156 million phishing emails every day. This results in more than
80,000 people falling victim to phishing emails daily. As phishing emails
are getting increasingly convincing, the number of these attacks increased
by nearly 300% in 2018!

A few days ago the US Customs and Border Protection (CBP) announced that an
unnamed subcontractor had transferred copies of license-plate images and
travellers’ photos from federal servers to its own company network, without
CBP’s authorisation. The major concern is not just the breadth of the
stolen data but also the number of people exposed by this erroneous
behaviour.

Another recent example warned that, despite the huge level of media
attention on the ‘WannaCry’ attack, which hit the NHS and many UK
organisations, more than half of UK workers do not know what ransomware is.

Have people forgotten to think critically, or have they never been taught to
do so? In fact, one of the problems is that many users ‘suffer’ from a form
of ‘cyber autism’: they simply ignore warnings as well as periodic awareness
campaigns and training sessions, and continue working out of firmly
established unsafe habits.

Cultivating cybersecurity habituation

Habituation can be broadly described as a kind of learning that occurs when
we become accustomed to a stimulus and stop reacting to it. Most would
probably agree that our habits affect us throughout our lives. What we
repeatedly do will ultimately form our long-term habits, also known as
unconscious behaviour.

For example, we may feel distracted by the noise produced by an old printer,
but when we spend more time in the room we tend to ignore the annoying sound
– even though it is still there. This happens because of habituation, which
simply means that we tend to ignore a stimulus to which we have been exposed
too many times.

The same behaviour appears in the human errors that result in cybersecurity
breaches: we do not pay attention to security warnings, or we simply ignore
them. Indeed, many studies confirm that more cybersecurity incidents are
caused by unintentional mistakes than by malicious acts. These unintentional
mistakes are the consequence of habitual behaviour that promotes an
unconscious response.

Is changing habitual behaviour then possible?

Definitely, yes.

However, it is easier said than done, as changing habits goes through the
same process as habit formation: repetition.

New situations create new behaviour that is often guided by conscious
intention, but with continuous repetition that behaviour becomes ‘written’
into the subconscious mind. The significance of this lies in the fact that
95% of our behaviour relies on the subconscious mind. Hence, it is important
to focus both on subconscious habitual behaviour and on the 5% governed by
the conscious mind.

However, changing behaviour requires more than providing information about
risks and expected reactions. Firstly, people must be able to understand and
apply the advice, and secondly, they must be motivated and willing to do so
– and the latter requires changes to attitudes and intentions.

In that regard, the key factor in raising awareness and changing people’s
behaviour is motivation. If we want people to behave in a certain way, we
need to motivate them. In other words, we have to understand why employees
do certain things and then select the most suitable persuasion method for
changing their behaviour. That includes identifying the behavioural drivers.

Also, not all security warnings that we see on our computer screens are
genuine. There are still lots of ‘false flags’ (false alarms), which cause a
‘cybersecurity fatigue’ symptom in many users. It manifests itself in much
the same way as what psychologists call ‘decision fatigue’ or ‘ego
depletion’: it drains our mental energy, making us less resistant to real
dangers and luring us into doing things without real consideration of the
consequences.

Under fatigue, we tend to make ‘escape’ decisions, which often result in
dangerous habitual behaviour. Building appropriate personal cybersecurity
‘hygiene’, awareness and culture can be a good answer to the threat of
cybersecurity fatigue.

Cultivating good cybersecurity habituation ultimately means safer
organisations – at least as far as the weakest cybersecurity link, the human
factor, is concerned. This should be a decisive guideline for those who
design cybersecurity awareness and training programmes.

Bearing all of the above in mind, we at VM Advisory must reaffirm that
cybersecurity increasingly requires both a multidisciplinary and a
multi-stakeholder approach. Relying solely on technology will not make us
safer in cyberspace.